Salted Hash: Live from DEF CON - Social Engineering

In this update, we tackle a topic that has always been part of DEF CON

defcon22
Credit: defcon.org

Social Engineering and DEF CON have always gone hand-in-hand, but after some of the things I've seen on the floor this weekend, it would seem that people have forgotten this – or the surge of new attendees have erased that barrier of awareness.

In fact, I'm willing to bet the growth of DEF CON over the last few years has only increased the pool of people completely unaware of Social Engineering, both passive, direct, and indirect.

There have been many examples to what I'm thinking about, but I'm just going to stick to what I feel are the biggest examples for this post.

Example 1:

While moving through the crowds at DEF CON, I overheard someone talking about a new project they're involved with and some of its aspects. I started paying attention to the discussion, because it contained information interesting to the journalist in me, and because we're both headed to the same area of the DEC CON hotel.

It's important to note that they kept talking during the entire walk, seemingly unaware of where they were and who could be listening. We must have passed hundreds of people during the short trip. The two of them were directly in front of me, and I was in the crowd behind them. Everyone could hear what they were saying. It wasn't a quiet discussion.

So what's the problem here?

First, this person should know better (they are a security expert), and second, the project they're working on is related to hacker legalities - some of the archaic laws that are used to prosecute (or threaten) researchers.

It's a touchy topic, and the project itself is in its infancy. But this person seems to have it all worked out, including full mental map of where things are going to go, and how to move it forward.

Why was this person in the wrong?

Because loose lips sink ships, and if word got out about this project before it actually gained any traction, it could be dead in the water. The government and federal law enforcement community can spook easily, and if pressed, they'll take a hardline on just about anything. Also, this project could have political aspects to it, so debates or discussions about it that are fueled by speculation, could kill it before it starts.

How is this related to Social Engineering?

Just sticking to the information that was loudly discussed; I spoke to others referenced by this person, and confirmed the project did exist. From there I was able to get additional details. At this stage, I know how the project started, who's involved with it, early goals, long terms goals, and more.

Great! You have a scoop, so run with it.

No. I want the project to succeed, so I'm not going to scoop it and run with the story. I'm honestly worried that if I do, it will kill it. It's good for researchers and hackers, bad for criminals. This is a good thing.

However, the point of recalling this example is to show how a Social Engineer can use information to their advantage.

A simple walk in the hotel turned into a story. I'd like to think I'm one of the good guys, so at worst the information I have is passively referenced in a short update. Imagine what a criminal could do with details like that, especially if they wanted to derail the entire thing.

Example 2:

The second example isn't as detailed as the first, because said details will actually identify the person(s) involved.

  • If you do shady things at the office in the off-hours, don't tell a bar full of people about it, especially after you handout business cards and try an arrange demos.
  • If you surf company emails in the chill-out room, while sitting at that comfy table, everyone walking behind you will be surfing with you. However, given that your emails were from IT, and contained details on the Office 365 roll-out (username, password, domain details), perhaps they’ll surf to other things later.
  • If you're using your laptop in the bar, you should take care to notice who is around you. In this case, you should have noticed the five people who were reading the same internal memo on product vulnerabilities you were.
  • If the previously mentioned product vulnerabilities are not patched, and remotely exploitable, perhaps you shouldn't have a laptop bag branded with the product's name.
  • While using social media at DEF CON, (which you shouldn't do on the show floor) you should be aware that not only did you broadcast the discussion you had on Facebook Messenger to anyone who walked by, but sharing your account password in said messenger conversation was a certain no-no. In addition, your friends list was showing, and that's an interesting group affiliation you have there.
  • STOP WALKING AWAY FROM THE TABLE AND LEAVING YOUR LAPTOP UNATTENDED!

It's okay to be social at DEF CON, it's highly encouraged. But it's wise to remember that little bits of information can add up, and depending on how they’re used, it can end badly. Likewise, most of us are adults and have jobs, but be careful with the information you share, or where / how you access it.

While physical security isn't a Social Engineering issue, it's still annoying to see and rated a mention.

Update:

Based on conversations from the show floor, and the messages I've gotten, this story needs a bit of clarification.

So, yes I did self-censor and withhold other examples. I'm not out to name and shame, just make a point. Also, yes, I was intentionally vague with Example 1, but the person who was directly involved knows who they are.

Some of the times listed might not be direct Social Engineering, such as shoulder surfing, or eavesdropping. However, Social Engineering is about using information and situations to your advantage. In that case, each of the items listed can be used to instigate or further a Social Engineering attack, or initiate another direct attack.

As for Example 1, this is a classic Social Engineering setting, because I used the broadcasted information in the hallway to further an investigation into the topic. I started with nothing, and ended with something. That is Social Engineering. It's not always about lies and attacks; it's about information gathering and manipulation.

With that said, Social Engineering isn't a bad thing. For example, it can be used to calm an interview subject who is doing their first interview with the media. It can be used to relax the subject, and to place them in a comfortable spot, help them get over the fear and focus on the topic – often something they are passionate about.

By keeping them focused on their passion and the topic at hand, the journalist is manipulating the situation and to a degree the subject. It isn't malicious, not in the slightest, but it is Social Engineering.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.